The short answer is yes, you need to whitelist a public blockchain data provider in your tokenscript (opensea, amberdata) and get the picture using Javascript. We ought to provide examples of doing so:) We should do it quickly. Please wait in line when we prepare an example implementation.

The longer answer is there are 3 ways to do so.

Whitelist a web service as a data source.

Provide an attestation.

Provide a transformation rule.

Only the first will be supported in this year. However, it is also the least secure and least available. By "secure" I mean there is cryptographic proof that your computer-graphics are genuine; bu "available" I mean it is subject to the availability of the web service. Most web services either disappear or change the request format in a few years.

The second method would require you as a token issuer to provide (a mechanism to let the user get) a signed data package about the token. Take an imaginary BookToken as an example, the cover picture of the book can't be saved on the blockchain. You can sign it and send it to the user as an attestation, which comes up when the token comes up.

The third method is the most elegant. You can provide a transformation rule on how to transform data like TokenID into an image. This requires quite a bit of XSLT+SVG knowledge and is a project of its own.